third_party/WebKit/Source/core/layout/FloatingObjects.cpp - Issue 2322703002: Revert of Copy float list of ruby base when merging it with a sibling

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: third_party/WebKit/Source/core/layout/FloatingObjects.cpp

Issue 2322703002: Revert of Copy float list of ruby base when merging it with a sibling (Closed)

Patch Set: Created 4 years, 3 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

« no previous file with comments | « third_party/WebKit/Source/core/layout/FloatingObjects.h ('k') | third_party/WebKit/Source/core/layout/LayoutRubyBase.cpp » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')

Index: third_party/WebKit/Source/core/layout/FloatingObjects.cpp

diff --git a/third_party/WebKit/Source/core/layout/FloatingObjects.cpp b/third_party/WebKit/Source/core/layout/FloatingObjects.cpp

index 3972c9d69f9998cf7847d98fbe07c521be9995a0..2dcf0d9e167aa0b28a6fd1f5f92c5f644361d5d8 100644

--- a/third_party/WebKit/Source/core/layout/FloatingObjects.cpp

+++ b/third_party/WebKit/Source/core/layout/FloatingObjects.cpp

@@ -64,7 +64,7 @@

m_type = FloatRight;

}

-FloatingObject::FloatingObject(LayoutBox* layoutObject, Type type, const LayoutRect& frameRect, bool shouldPaint, bool isDescendant, bool isLowestNonOverhangingFloatInChild)

+FloatingObject::FloatingObject(LayoutBox* layoutObject, Type type, const LayoutRect& frameRect, bool shouldPaint, bool isDescendant, bool isLowestNonOverhangingFloatInChild, bool performingUnsafeClone)

: m_layoutObject(layoutObject)

, m_originatingLine(nullptr)

, m_frameRect(frameRect)

@@ -76,7 +76,15 @@

, m_isInPlacedTree(false)

#endif

{

- m_shouldPaint = shouldPaint || shouldPaintForCompositedLayoutPart();

+ m_shouldPaint = shouldPaint;

+ // TODO(chrishtr): Avoid the following hack when performing an unsafe clone.

+ // This avoids a use-after-free bug due to the fact that we sometimes fail to remove

+ // floats from their container when detaching (crbug.com/619380). This is actually a bug in the

+ // floats detach machinery, which needs to be fixed, in which case this workaround can be removed.

+ // In any case, it should be safe because moving floats from one owner to another should cause layout,

+ // which will in turn update the m_shouldPaint property.

+ if (!performingUnsafeClone)

+ m_shouldPaint = m_shouldPaint || shouldPaintForCompositedLayoutPart();

}

bool FloatingObject::shouldPaintForCompositedLayoutPart()

@@ -113,7 +121,7 @@

std::unique_ptr<FloatingObject> FloatingObject::unsafeClone() const

{

- std::unique_ptr<FloatingObject> cloneObject = wrapUnique(new FloatingObject(layoutObject(), getType(), m_frameRect, m_shouldPaint, m_isDescendant, false));

+ std::unique_ptr<FloatingObject> cloneObject = wrapUnique(new FloatingObject(layoutObject(), getType(), m_frameRect, m_shouldPaint, m_isDescendant, false, true));

cloneObject->m_isPlaced = m_isPlaced;

return cloneObject;

}